“The best way for any provider to mitigate the risk of a cybersecurity incident and/or privacy violation is to have a third party conduct a comprehensive risk analysis.”
More than 500 individuals affected; five new enforcement actions published.
The U.S. Department of Health and Human Services Office for Civil Rights (HHS-OCR) released its data on 2020 breaches affecting more than 500 individuals. Additionally, five new enforcement actions were published. Both underscore HHS-OCR's continued focus on both privacy and security violations of HIPAA and the HITECH Act.
Pursuant to the HITECH Act, section 13402(e)(4), HHS lists breach cases (affecting 500 or more individuals) currently under investigation. Of the 349 data breaches reported thus far in 2020, the incident types break down as follows:
- 232 entries (66%) – Hacking/IT incident
- 73 entries (21%) – Unauthorized access/disclosure
- 24 entries (7%) – Theft
- 10 entries (3%) – Improper disposal
- 10 entries (3%) – Loss
The prevalence of hacking/IT and unauthorized access/disclosure incidents should not be surprising, especially because the two often go hand-in-hand: a hacking incident is, by definition, an unauthorized access. A recent report from CynergisTek found that “only 44% of healthcare organizations, including hospitals, health systems and third-party vendors, are meeting national cybersecurity standards.” The report also found that “bigger healthcare institutions with larger budgets didn’t necessarily perform better when it comes to security,” and that some “performed worse than smaller organizations or those that invested less.” Armed with this knowledge, the best way for any provider to mitigate the risk of a cybersecurity incident and/or privacy violation is to have a third party conduct a comprehensive risk analysis. A risk analysis is not optional in any event: it is a required implementation specification of the Security Rule (45 CFR 164.308(a)(1)(ii)(A)), and its absence is a finding in many OCR resolution agreements. When I conduct annual risk analyses for my clients, we evaluate technology in relation to the regulations and NIST standards and look for appropriate, but cost-effective, ways to mitigate risk and remain compliant.
Another continuing HHS-OCR focus under the Privacy Rule is a patient’s right to access his or her health records and designated record set. Recently, HHS announced “OCR Settles Five More Investigations in HIPAA Right of Access Initiative.” The five entities ran the gamut in terms of size and type of provider. The five settlements are as follows:
- Housing Works, Inc. – a New York City based non-profit organization paid $38,000 and adopted a corrective action plan for failing to provide a patient with a copy of his medical records.
- All Inclusive Medical Services, Inc. – a California based multi-specialty family practice clinic paid $15,000 and adopted a corrective action plan for failing to provide a patient with a copy of her medical records.
- Beth Israel Lahey Health Behavioral Services – a large Massachusetts based network of mental health and substance use disorder services paid $70,000 and adopted a corrective action plan for failing to respond to a personal representative seeking access to her father’s medical records.
- King MD – a small Virginia based psychiatric services provider agreed to pay $3,500 and adopt a corrective action plan for failing to provide a patient with a copy of her medical records.
- Wise Psychiatry, PC – a small Colorado based psychiatry provider agreed to pay $10,000 and adopt a corrective action plan for failing to provide a personal representative with access to his minor son’s medical records.
There are a few items to consider in relation to these five settlements. First, HIPAA does not use the term “mental health records” but instead defines “psychotherapy notes,” which have a very different and much narrower meaning; psychotherapy notes, as defined, are also excluded from the right of access under 45 CFR 164.524(a)(1)(i), whereas the rest of the mental health record in the designated record set is not. Some states, including Texas, do use the term “mental health records.” Second, substance use disorder records may also be subject to 42 CFR Part 2, which imposes consent requirements on top of HIPAA. Finally, some states have laws restricting the information a parent or legal representative may obtain about a minor. Check the applicable state law first before deciding whether to provide a minor’s protected health information to a parent or personal representative.
In sum, HHS-OCR remains committed to enforcing HIPAA. Covered entities, business associates, and subcontractors alike should pay attention and continually monitor their compliance initiatives.